TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Planning Is Underway for the Enterprise-Wide Transition to Internet Protocol Version 6, but Further Actions Are Needed

February 27, 2014

Reference Number: 2014-20-016

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta

HIGHLIGHTS

Final Report issued on February 27, 2014

Highlights of Reference Number: 2014-20-016 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Like any new technology standard, network conversion to Internet Protocol version 6 (IPv6) introduces security risks if not implemented and managed properly. When the IRS’s data and network are not secured, taxpayer information becomes vulnerable to unauthorized disclosure, which can lead to identity theft. Furthermore, security breaches can cause network disruptions and prevent the IRS from performing vital taxpayer services, such as processing tax returns, issuing refunds, and answering taxpayer inquiries.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to assess the IRS’s progress in converting its network to IPv6 according to Office of Management and Budget requirements. This audit was included in TIGTA’s Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

WHAT TIGTA FOUND

The IRS established an IPv6 project team to manage the network conversion. The project team has adequately planned for security risks during the conversion but has not completed some elements of the transition plan. For example, the IRS has not established an IPv6 Advisory Board or prepared a resource plan to ensure proper guidance and coordination within and outside of the agency on its IPv6 efforts. Also, the Procurement function did not establish controls to ensure that all new information technology purchases were IPv6 capable in accordance with the Federal Acquisition Regulation. Lastly, TIGTA found that the project team received inadequate oversight from the Infrastructure Executive Steering Committee and did not adhere to the IRS’s Enterprise Life Cycle policy. Given the geographic dispersion of the IRS network and its size and complexity, the enterprise-wide network conversion will have a far-reaching impact on many IRS functions.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer direct the project team to stand up an advisory board; develop an Information Resources Management Strategic Plan; and coordinate with the IRS Enterprise Life Cycle Office to better manage project documentation and schedules. TIGTA also recommended that the Chief Technology Officer coordinate with the IRS Procurement Office to update its policy to align with the Federal Acquisition Regulation and establish a control to prevent the purchase of IPv6 incapable products; coordinate with IRS business units to ensure that complete responses to the project team’s applications data call are received so that they can begin extensive planning for each application that will require upgrading; assess the merits of transferring project oversight to another governance board that regularly monitors and provides oversight of information technology projects; and direct the Infrastructure Executive Steering Committee to update its charter in order to properly reflect the current roles and responsibilities of the committee.

The IRS agreed with our recommendations to develop an Information Resources Management Strategic Plan, better manage IPv6 project documentation, update the Infrastructure Executive Steering Committee charter, and coordinate between offices to achieve procurement policy alignment with Federal regulations and an exchange of information necessary for a successful transition to IPv6. The IRS updated the IPv6 Transition Plan so that existing oversight groups fulfill the purpose of an advisory board. Management prefers to continue with its current governance board structure for this project since it provides oversight for the entire IT infrastructure portfolio.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

February 27, 2014

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney, Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Planning Is Underway for the Enterprise-Wide Transition to Internet Protocol Version 6, but Further Actions Are Needed (Audit # 201320009)

This report presents the results of our review of the Internal Revenue Service’s (IRS) progress in converting its network to Internet Protocol version 6 to comply with Office of Management and Budget requirements. This audit was included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.
This audit was also part of our statutory requirement to annually review the adequacy and security of IRS technology.

Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background
Results of Review
    The Internal Revenue Service Is Addressing the Security Risks and Technical Limitations of Internet Protocol Version 6
    Key Action Items From the 2014 Internet Protocol Version 6 Transition Plan Need to Be Completed and Outreach Efforts Need to Be Improved
        Recommendations 1 and 2
        Recommendations 3 and 4
    The Internet Protocol Version 6 Project Did Not Receive Adequate Executive Oversight and Did Not Adhere to the Enterprise Life Cycle in 2012
        Recommendations 5 through 7
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Major Differences Between IPv4 and IPv6 Headers
    Appendix V – Enterprise Life Cycle Overview
    Appendix VI – Glossary of Terms
    Appendix VII – Management’s Response to the Draft Report

Abbreviations

ELC     Enterprise Life Cycle
IP      Internet Protocol
IPv4    Internet Protocol version 4
IPv6    Internet Protocol version 6
IRS     Internal Revenue Service
NIST    National Institute of Standards and Technology
OMB     Office of Management and Budget

Background

In August 2005, the Office of Management and Budget (OMB) mandated that Federal agencies begin planning for the transition from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6). IPv6 is not backward compatible with IPv4. It is a new network layer protocol[1] that provides an increased network address size of 128 bits versus 32 bits from IPv4, as illustrated in Figure 1.
In addition to extended address space, IPv6 has many new or improved features that make it significantly different from its IPv4 predecessor, including automatic configuration, header structure and extension headers, Internet protocol (IP) security, mobility, quality of service, route aggregation, and efficient transmission.[2]

Figure 1: Comparison of IPv4 and IPv6 Addressing Scheme
Source: Government Accountability Office.

[Sidebar: Federal agencies are required to complete the transition to IPv6 by the end of Fiscal Year 2014.]

On September 28, 2010, the Federal Chief Information Officer issued a memorandum entitled Transition to IPv6 to all Chief Information Officers of Executive departments and agencies that sets forth specific deadlines for the IPv6 transition within the Federal Government. Agencies were required to designate an IPv6 Transition Manager who would lead all agency IPv6 transition activities and serve as a liaison with the wider Federal IPv6 effort. Agencies were also required to ensure that information technology procurements are in accordance with the Federal Acquisition Regulation regarding IPv6. The memorandum set deadlines for two separate phases of the IPv6 transition. By the end of Fiscal Year 2012, all agencies were instructed to upgrade public and external-facing servers and services, e.g., web, e-mail, Domain Name System, Internet Service Provider services, etc., to operationally use IPv6. By the end of Fiscal Year 2014, agencies must complete the transition by upgrading internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use IPv6. The Chief Information Officers Council issued a planning guide[3] to help agencies prepare for IPv6 deployment, and the National Institute of Standards and Technology (NIST) also issued guidelines[4] detailing the security benefits, risks of deployment, and other IPv6 technical details.

The Internal Revenue Service (IRS) assigned an IPv6 Transition Manager from the User Network and Services function in its Information Technology organization, and the IPv6 project team met the 2012 deadline for external and customer-facing servers. However, the Registered User Portal was not included in the IPv6 transition because it is undergoing an update and will transition later this year. The Registered User Portal is the IRS external-facing portal that allows registered individuals or their representatives and third-party users to access selected tax processing and other sensitive IRS systems, applications, and data. Regarding the 2014 deadline, the IRS is planning now for the transition ahead. The enterprise-wide transition to IPv6 will constitute a significant effort for the IRS due to the agency’s size, geographic dispersion, and diversity of hardware, systems, applications, and legacy equipment that must be reconfigured or replaced.

The IPv6 project team informed us that they expect hardware and software upgrades and updates necessary to facilitate the transition to be paid for through the normal technology refresh cycle, but they have not yet made any attempt to quantify costs for these upgrades with respect to the business units. The IPv6 project team itself does not have a dedicated budget allocated for network or server equipment upgrades. During the time of this review, the project team was in the process of standing up two test laboratories that will be located in Memphis, Tennessee, and Martinsburg, West Virginia. Hardware for the laboratories and IPv6 patches on existing software are expected to cost approximately $1 million.

This review was performed with information obtained from the IRS Information Technology organization’s User and Network Services and Cybersecurity functions located in New Carrollton, Maryland; Memphis, Tennessee; and Dallas, Texas, as well as the Agency-Wide Shared Services located in Oxon Hill, Maryland, during the period January through August 2013. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] See Appendix VI for a glossary of terms.
[2] Appendix IV shows some major differences between IPv4 and IPv6 headers.
[3] Federal Chief Information Officers Council, Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government (Jul. 2012).
[4] National Institute of Standards and Technology, Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 (Dec. 2010).

Results of Review

The Internal Revenue Service Is Addressing the Security Risks and Technical Limitations of Internet Protocol Version 6

We found that the IRS IPv6 project team successfully met the 2012 external-facing services deadline and made progress in their planning efforts for the 2014 enterprise-wide effort. Specifically, the IRS is adequately documenting security risks and requirements for the network conversion to IPv6.
To date, the IPv6 project team has documented more than 1,800 security requirements that they identified from NIST guidance and from more than 50 Internet Engineering Task Force Request for Comments technical documents. They also identified security requirements in industry best practices white papers, i.e., Microsoft and Cisco, and from other Federal agency guidance. The Cybersecurity team lead for the IPv6 project requested an external team of IRS security engineers to audit and validate the 1,800 security requirements and make suggested changes where appropriate. For all 1,800 security requirements, an external team of security engineers has audited and validated the requirements and made suggested changes where necessary.

Our analysis of NIST policies found five additional technical Request for Comments documents that the IRS should consider. In one, the document describes a mechanism to provide a secure binding between the multiple addresses with different prefixes available to a host within a multihomed site. The IPv6 project team stated that they would incorporate the security requirements from the five documents that we identified, and that they had already incorporated changes that the external peer review team suggested. Although it is too early to determine whether the IRS will securely deploy IPv6, we believe the IPv6 project team is aware of the multitude of security risks, allowing them to address the security risks prior to the enterprise-wide network conversion.

Furthermore, IPv6 project team personnel have identified technical limitations and are developing solutions. For example, the IRS’s wide area network Internet service provider is not IPv6 capable and will not be capable until the end of Calendar Year 2015. Therefore, for the traffic between the major hubs across the country, the IPv6 project team has had to consider, research, and test alternative solutions for the wide area network. They have weighed the theoretical benefits and limitations of each solution and will continue to test selected options during their proof of concept test this summer. Because IPv6 will be deployed enterprise-wide, the IPv6 project team has planned for several phases of testing, and not just for the traffic between hubs. The entire protocol must be tested, and certain features of IPv6 will be disabled due to the characteristics of the IRS network and the increased security the agency requires for its data. The IPv6 project team stood up two test laboratories to pass traffic back and forth, and began a production proof-of-concept test during our fieldwork. The project team drafted extensive test plans that are updated on an ongoing basis.

Since the entire network will be configured to support IPv6 in 2014, and all hardware and software must be reconfigured and readdressed, this conversion will have a far-reaching impact on many functions in the Information Technology organization including: User and Network Services, Enterprise Operations, Applications Development, Cybersecurity, the Computer Security Incident Response Center, and many others. The IRS IPv6 project team developed a training plan for IPv6 and is currently in the process of updating it. To date, the project team has hosted three large technical summit sessions and at least eight smaller, team-specific training sessions that were sometimes technical and at other times more general or higher level. We reviewed the training slides for some of the courses the project team developed and administered and found them to be informative and appropriate for the audience.

Key Action Items From the 2014 Internet Protocol Version 6 Transition Plan Need to Be Completed and Outreach Efforts Need to Be Improved

The transition to IPv6 will be complex, given the geographic dispersion of the IRS network and its size and diversity of software and hardware components. The IRS has developed the 2014 IPv6 Transition Plan, which is a comprehensive document that includes identified stakeholders and roles and responsibilities, as well as a functional subgroup structure identified by the three major affected areas of the protocol conversion—network, security, and applications. The plan contains sections on program scope, objectives, and strategy, as well as a large section regarding deliverables for each subgroup. While communication and outreach efforts have achieved partial success, the IPv6 project team has yet to complete some key actions listed in the 2014 IPv6 Transition Plan.

The IRS has not established an IPv6 Advisory Board or prepared an Information Resources Management Strategic Plan

The 2014 IPv6 Transition Plan states that the IRS will establish an IPv6 Advisory Board whose members will be key individuals both internal and external to the IRS who have unique and specialized knowledge and experience regarding IPv6 within the Federal environment. Internally, these persons would hold IRS corporate knowledge that enables them to advise on the technical and cultural course of action required to meet the strategic objectives. External participants would include members of the Federal IPv6 Task Force and other Federal agencies who, through their experience, can provide lessons learned and risk mitigation strategies. The IRS stated that it has not had a chance to stand up the Advisory Board yet, nor does it have a charter.
Without an Advisory Board to guide the project, the IPv6 project team lacks guidance and expertise from external industry experts and may miss an opportunity to proactively obtain executive-level support from internal IRS stakeholders. Both of these groups could greatly contribute to the success of the IPv6 transition.

In addition, the 2014 IPv6 Transition Plan identifies the need to ensure that the IPv6 transition efforts are consistent with the future state of the agency’s enterprise architecture. Information technology investments should be made with consideration of IPv6 capabilities, which should be clearly articulated in the IRS Information Resources Management Strategic Plan. During the course of our fieldwork, we found that an Information Resources Management Strategic Plan does not exist at the IRS. The 2014 IPv6 Transition Plan also says that senior IRS executives in charge of the Capital Planning and Investment Control processes must put in place the future enterprise objectives so that the IRS may invest in targeted architecture upgrades to maintain a current and secure enterprise. An Information Resources Management Strategic Plan would help achieve this goal. At the time of our review, the IPv6 project team had not started work on integrating IPv6 requirements into strategic planning.

Additional actions are necessary to ensure readiness with IPv6 procurement requirements

Beginning in 2005, the OMB mandated that Federal agencies stop buying equipment and software that was not capable of supporting IPv6. This policy was later clarified in the Federal Register and made effective December 10, 2009, and is now part of the Federal Acquisition Regulation. If the IRS purchases equipment or software that is not IPv6 capable, the products will no longer work when the enterprise-wide IPv6 network conversion occurs at the end of Fiscal Year 2014. This would not only be a waste of valuable resources, but could also potentially cause network disruption and additional resource expenditures to either replace or upgrade the equipment or software. To prevent this from happening, the IPv6 project team developed suggested changes to IRS procurement policies, but procurement officials in Agency-Wide Shared Services did not agree with this request.

During our fieldwork, we met with Agency-Wide Shared Services, and the procurement officials stated that they disagreed with the IPv6 project team’s requests because they were not aware of the deadline in 2014 for the IPv6 enterprise-wide network conversion, and that they did not want to limit their purchasing options to those vendors that could provide IPv6 capability. When we asked the procurement officials why they did not want to look ahead to the upcoming conversion and only buy products that would work in the future state of the enterprise, they further stated that private sector vendors are not mandated to make these technical changes like Federal agencies are, and many vendors do not have the financial resources to make significant engineering changes.

The IPv6 project team has reached out to other stakeholders in order to be proactive about the transition. For example, the IPv6 project team is engaged with long-term information technology projects they are aware of in order to be proactive about IPv6 capabilities and requirements so that products purchased for these projects are IPv6 capable. The IPv6 project team also hosted ongoing biweekly meetings with stakeholders who have been identified and documented in the IPv6 Program Charter. These discussions covered general scheduling topics such as planned testing and training as well as project updates and deliverables. We also found that the IPv6 project team sent out data calls to the IRS business units to obtain the most current information about existing equipment and software that might need upgrading throughout the agency. These data calls were only partially successful. While the IPv6 project team is not as concerned about network equipment because approximately 95 percent has been identified, efforts are still ongoing to obtain and analyze existing applications and software. The team is trying to identify all of the business applications and software in use in order to determine whether they are already IPv6 capable, are upgradeable to IPv6 with updates or reconfiguration, or are in need of hard-coded reprogramming. For example, the IRS’s Applications Development Office provided information on 173 applications and identified 47 that require updating and only four that require an engineering effort prior to the 2014 enterprise-wide network conversion to IPv6. This effort is still ongoing because some business units have not responded.
This lack of response limits the IPv6 project team’s ability to plan ahead for any needed engineering solutions.

Without adherence to procurement policies and business unit input, Information Technology organization management cannot ensure that future procurements will be in compliance with IPv6 requirements.

Recommendations

Recommendation 1: The Chief Technology Officer should stand up the IPv6 Advisory Board as soon as possible with both internal agency executives and industry experts as originally described in the 2014 IPv6 Transition Plan.

    Management's Response: The IRS disagreed with this recommendation. On December 11, 2013, the IRS updated the 2014 IPv6 Transition Plan to reflect that the IRS Infrastructure Executive Steering Committee and the Federal IPv6 Task Force fulfill all desired advisory board functions.

    Office of Audit Comment: Updating the 2014 IPv6 Transition Plan to reflect that the IRS Infrastructure Executive Steering Committee and the Federal IPv6 Task Force fulfill advisory board functions does not provide assurance that the IPv6 project will receive sufficient oversight based on the observations cited in the report.

Recommendation 2: The Chief Technology Officer should develop and distribute an Information Resources Management Strategic Plan as originally described in the 2014 IPv6 Transition Plan and involve the Agency-Wide Shared Services’ Information Technology Procurement function with the plan’s development. This planning effort should also establish a process to communicate and incorporate future changes or enhancements to the Information Resources Management Strategic Plan.

    Management's Response: The IRS agreed with this recommendation. The IRS will revise the Information Technology Integrated Release Plan, referred to as the Information Resources Management Strategic Plan in the 2014 IPv6 Transition Plan, to incorporate IPv6. Information Technology Strategy and Planning and the Agency-Wide Shared Services Office of Procurement will annually conduct a review of the Information Technology Integrated Release Plan to update the document with future IPv6 changes.

Recommendation 3: The Chief Technology Officer should coordinate with Agency-Wide Shared Services executives to ensure that procurement policy and procedures are updated to align with the Federal Acquisition Regulation, and establish a control that prohibits purchase of any equipment or software that is not IPv6 capable to ensure that the agency does not waste valuable resources buying products that will not work on the converted network.

    Management's Response: The IRS agreed with this recommendation. The Agency-Wide Shared Services’ Office of Procurement will ensure that policy and procedures are updated to align with Federal Acquisition Regulations regarding IPv6 requirements. In partnership, Agency-Wide Shared Services and the Information Technology organization will ensure that a control procedure exists to validate that information technology equipment and software acquisitions are IPv6 capable in accordance with Federal Acquisition Regulation IPv6 requirements.

Recommendation 4: The Chief Technology Officer should coordinate with the business units to ensure that complete responses to the IPv6 applications data call are received so that the extensive planning for each application that will require upgrading can begin.

    Management's Response: The IRS agreed with this recommendation. The IPv6 Program Management Office received complete responses to the IPv6 applications data call from all business units in October 2013, and planning for application upgrades has been initiated.

The Internet Protocol Version 6 Project Did Not Receive Adequate Executive Oversight and Did Not Adhere to the Enterprise Life Cycle in 2012

Although the IPv6 project team successfully implemented the technical changes and reconfigurations by the 2012 deadline for the external services, the project team did not adhere to the IRS’s Enterprise Life Cycle (ELC) process and did not receive adequate oversight by the Infrastructure Executive Steering Committee. The IRS’s ELC process is a disciplined approach to manage and implement business changes through information systems initiatives and requires all information technology projects to achieve several milestones that must be approved by executive leadership in order to proceed.
Solutions should not be deployed into production until
Milestone 5 is exited.5 The IPv6 2012 reconfigurations for external services were put into
production in September 2012 despite the fact that the project has only officially exited
Milestones 1 and 2 of the ELC process. The Infrastructure Executive Steering Committee is
required to oversee this process according to project documentation.
We determined that this lack of ELC adherence occurred because the IPv6 project team was not
effectively coordinating with the IRS ELC Office to properly document project artifacts and
follow the ELC milestone process. In addition, the IPv6 project team stated that they had
planned to develop separate ELC artifacts, such as requirements reports, design documentation,
and test plans, for each of the 2012 and 2014 efforts. Because they had already deployed the
2012 solution without fully adhering to the ELC process, we suggested that the IPv6 project team
immediately request official approval from the Infrastructure Executive Steering Committee to
combine IPv6 information for both efforts into one comprehensive set of artifacts to streamline
their development and not duplicate efforts by creating similar documents for two different
projects. Further, because the 2012 external services IPv6 solutions were already in place and
functioning properly, it is acceptable to combine any extra information from this effort into
documents that are in process for the 2014 enterprise-wide effort because the project
documentation for 2014 is already late. The IPv6 project team and the project’s ELC coach
agreed with our assessment and formally requested this change through the Infrastructure
Executive Steering Committee. On June 11, 2013, the Committee conducted a virtual vote and
granted approval for combining both IPv6 efforts into one set of ELC artifacts and project
documentation.
We also interviewed the chairpersons of the Infrastructure Executive Steering Committee to
obtain information about why the IPv6 ELC project documentation did not reflect completed
project milestones and why the project was allowed to stray from the IRS’s ELC policy and
process. The chairpersons stated that they were not aware that they were supposed to be
monitoring the project from the perspective of the ELC policy. We informed them that the
Committee’s charter document stated that they are primarily supposed to oversee information
technology projects with respect to cost, schedule, and the ELC process. They stated that they
were not aware of the Infrastructure Executive Steering Committee Charter, which was written in
2008, and that it was probably out of date and not reflective of the Committee’s current
responsibilities. With the increasing complexity of the current enterprise-wide transition beyond
the 2012 mandate which is already in place, delayed completion of the required ELC artifacts
may seriously jeopardize the success of the 2014 effort.
The IPv6 project team needs to focus on
documenting critical artifacts, including design and testing plans, in order to properly exit ELC
milestones with appropriate approval of IRS executives.

5 See Appendix V for an overview of the ELC.

Recommendations
Recommendation 5: The Chief Technology Officer should ensure that the IPv6 project team
coordinates with the ELC Office and takes a more proactive role of adhering to the ELC process
and meeting project milestone deadlines to ensure the timely completion of key ELC
deliverables, artifacts, and processes for the critical 2014 enterprise-wide transition to IPv6.
       Management's Response: The IRS agreed with this recommendation. Due to
       budget and schedule constraints, a risk-based decision was made to complete ELC
       Milestones 1 and 2 artifacts for the Fiscal Year 2012 mandate. The ELC Project Office
       approved an IPv6 ELC Tailoring Plan in July 2013 that combined the Fiscal Year 2012
       and Fiscal Year 2014 mandates. The IPv6 Program Management Office will complete
       future ELC deliverables in accordance with the approved ELC Tailoring Plan.
Recommendation 6: The Chief Technology Officer should assess the merits of transferring
IPv6 project oversight to another entity such as the Systems Security and Privacy Executive
Steering Committee or a management-level governance board that regularly monitors and
provides oversight of information technology projects. Their responsibilities should include
oversight of the critical elements of the IPv6 project’s cost, schedule, and adherence to the ELC
processes to include the adequate and timely completion of requirements, design, and testing of
artifacts.
       Management's Response: The IRS disagreed with this recommendation. IPv6 has
       enterprise impact beyond security and requires oversight from a governance board that
       takes a holistic view of the entire IRS Information Technology infrastructure portfolio, to
       include hardware, software, and applications. The Infrastructure Executive Steering
       Committee provides the necessary level of oversight for the IRS IPv6 implementation.
       Office of Audit Comment: IRS management indicated that the Infrastructure
       Executive Steering Committee provides the necessary level of oversight for the IPv6
       project. However, IRS management did not provide any documentation or formalized
       procedures demonstrating how the Infrastructure Executive Steering Committee regularly
       monitors and provides oversight of information technology projects. As a result, we
       cannot comment on whether the Infrastructure Executive Steering Committee will
       provide the necessary level of oversight for future successes on the IRS IPv6
       implementation.
Recommendation 7: The Chief Technology Officer should ensure that the Infrastructure
Executive Steering Committee updates its charter to properly reflect the current roles and
responsibilities of the committee.
       Management's Response: The IRS agreed with this recommendation.
       The IRS will
       update the Infrastructure Executive Steering Committee charter to reflect the current roles
       and responsibilities of the committee.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to assess the IRS’s progress toward converting its network to IPv6 to
comply with OMB requirements. To accomplish our objective, we:
I.     Evaluated whether the IRS converted all external and customer-facing servers and
       services to IPv6 per the 2012 deadline set forth by the Federal Chief Information Officer.
       A. Determined whether IRS external and customer-facing websites are accessible to
          IPv6-enabled end systems on the public Internet. We confirmed functionality of
          these services through NIST’s online IPv6 monitoring tool that showed IRS websites
          to be IPv6 capable.
       B. Determined whether there are any external services that are not IPv6 capable. We
          interviewed agency officials responsible for the Registered User Portal refresh
          scheduled for fall 2013. We also obtained and reviewed schedule, design, and testing
          documentation from the Registered User Portal project team to ensure IPv6 capability
          is included.
II.    Determined whether the IRS is adequately preparing for the enterprise-wide transition to
       IPv6 that must be completed by the end of Fiscal Year 2014.
       A. Determined whether the IRS plans adequately address IPv6 transition concerns by
          reviewing NIST guidance and comparing this guidance to the IRS IPv6 project
          planning documentation. We specifically determined whether the IRS documented
          security risks for the conversion to IPv6.
       B. Evaluated the impact of Internet service provider limitations on the ability of the IRS
          to transition to IPv6 enterprise-wide.
       C. Determined whether the IPv6 project team properly and timely completed key ELC
          deliverables, artifacts, and processes. We reviewed the project’s ELC Tailoring Plan
          to determine the critical deliverables and artifacts that should have been completed
          for each development phase, and obtained and reviewed these documents for
          completion, timeliness, and sufficiency.
       D. Determined whether IRS project documentation includes adequate planning for IPv6
          testing by interviewing testing officials and reviewing test plans and accomplishments
          to date.
       E. Determined whether stakeholders are identified and whether outreach and training are
          adequately conducted. We reviewed project documentation, including its charter and
          the IPv6 project team’s communication and training plans. We also determined the
          training conducted to date and reviewed training materials developed by the IPv6
          project team.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives.
Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: the OMB, the NIST, the Federal
Acquisition Regulation, and related IRS guidelines for information technology projects and the
IRS’s efforts to implement these controls in order to protect the IRS network and data during its
network conversion to IPv6. We evaluated these controls by conducting interviews and meetings
with IPv6 project management and stakeholders at the IRS functions responsible for
reconfiguring, testing, and securing IPv6 throughout the agency. We also reviewed project
documentation and outreach and training efforts to date.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Kent Sagara, Director
Joseph F. Cooney, Audit Manager
Myron Gulley, Acting Audit Manager
Jena Whitley, Lead Auditor
George Franklin, Senior Auditor
Cindy Harris, Senior Auditor
Nicholas Reyes, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Operations OS:CTO
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Chief, Agency-Wide Shared Services OS:A
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Major Differences Between IPv4 and IPv6 Headers

Source: Government Accountability Office.

Appendix V

Enterprise Life Cycle Overview

The ELC is the IRS’s approach to manage and implement business change through
information systems initiatives. The ELC provides the direction, processes, tools, and assets
necessary to accomplish business change in a consistent and repeatable manner.
Figure 1 provides an overview of the phases and milestones within the ELC. A phase is a
broad segment of work encompassing activities of similar scope, nature, and detail and
providing a natural breakpoint in the life cycle. Each phase begins with a kickoff meeting and
ends with an executive management decision point (milestone) where IRS executives make
“go/no-go” decisions for continuation of a project as well as considering funding requests.

Figure 1: ELC Phases and Milestones

Phase                            General Nature of Work                           Milestone
Vision and Strategy/Enterprise   High-level direction setting.                    0
Architecture Phase
Project Initiation Phase         Startup of development projects.                 1
Domain Architecture Phase        Specification of the operating concept,          2
                                 requirements, and structure of the solution.
Preliminary Design Phase         Preliminary design of all solution components.   3
Detailed Design Phase            Detailed design of solution components.          4A
Systems Development Phase        Coding, integration, testing, and certification  4B
                                 of solutions.
Systems Deployment Phase         Expanding availability of the solution to all    5
                                 target users. This is usually the last phase
                                 for development projects.
Operations and Maintenance       Ongoing management of operational systems.       System
Phase                                                                             Retirement
Source: The ELC Internal Revenue Manual.

Appendix VI

Glossary of Terms

Term                           Definition

Agency-Wide Shared Services    An IRS organization that supports the IRS by managing
                               resources that enable the IRS’s business processes.
Application                    An information technology component of a system that
                               utilizes information technology resources to store, process,
                               retrieve, or transmit data or information using information
                               technology hardware and software.
Applications Development       A function within the IRS Information Technology
                               organization responsible for building, testing, delivering, and
                               maintaining integrated information applications systems or
                               software solutions, to support modernized systems
                               and the production environment.
Artifact                       The tangible result (output) of an activity or task performed by
                               a project during the ELC.
Calendar Year                  The 12-consecutive-month period ending on December 31.
Cybersecurity                  A function within the IRS Information Technology
                               organization responsible for ensuring compliance with Federal
                               statutory, legislative, and regulatory requirements governing
                               confidentiality, integrity, and availability of IRS electronic
                               systems, services, and data.
Enterprise Life Cycle          The approach used by the IRS to manage and implement
                               business change through information systems initiatives. The
                               ELC provides the direction, processes, tools, and assets
                               necessary to accomplish business change in a consistent and
                               repeatable manner.
Federal Acquisition            The primary acquisition regulation for use by all Federal
Regulation                     executive agencies in their acquisition of supplies and services
                               with appropriated funds.
Federal Chief Information      The Federal Chief Information Officer heads the OMB Office
Officer                        of E-Government and Information Technology which
                               develops and provides direction in the use of Internet-based
                               technologies.
Fiscal Year                    A 12-consecutive-month period ending on the last day of any
                               month. The Federal Government’s fiscal year begins on
                               October 1 and ends on September 30.
Hard-Coded                     A software development practice of embedding data directly
                               into the source code of a program instead of obtaining that
                               data from external sources or generating data in the program
                               itself with the given input. The degree to which a program is
                               hard-coded determines how difficult it is to change when each
                               new type of data is introduced.
Information Technology         Any equipment or interconnected system or subsystem of
                               equipment that is used in the automatic acquisition, storage,
                               manipulation, management, movement, control, display,
                               switching, interchange, transmission, or reception of data or
                               information by an executive agency. The term information
                               technology includes computers, ancillary equipment, software,
                               firmware and similar procedures, services (including support
                               services), and related resources.
Infrastructure Executive       Governs projects within the Infrastructure portfolio to ensure
Steering Committee             that project objectives are met, risks are managed
                               appropriately, and the expenditure of enterprise resources is
                               fiscally sound.
Internet Protocol Version 4    The current version of the IP which specifies a 32-bit IP
                               address field which will run out of available address space in
                               the near future.
Internet Protocol Version 6    The next generation IP which allows a 128-bit IP address field
                               in the form of eight 16-bit integers represented as four
                               hexadecimal digits separated by colons.
Multihomed Site                A site, which is an entity autonomously operating a network
                               using IP, with more than one transit provider of connectivity
                               to the Internet.
National Institute of          The NIST, under the Department of Commerce, is responsible
Standards and Technology       for developing standards and guidelines for providing
                               adequate information security for all Federal Government
                               agency operations and assets.
Office of Management and       The OMB’s predominant mission is to assist the President in
Budget                         overseeing the preparation of the Federal budget and to
                               supervise administration in Executive Branch agencies. The
                               OMB evaluates the effectiveness of agency programs,
                               policies, and procedures. The OMB oversees and coordinates
                               the Administration’s procurement, financial management,
                               information, and regulatory policies.
Project                        A group of tasks to accomplish a specific objective, with a
                               beginning and ending date, that is planned, monitored, and
                               measured; follows a life cycle process; and results in
                               deliverables or end products.
Proof of Concept               A short and/or incomplete realization of a certain method or
                               idea to demonstrate its feasibility, or a demonstration in
                               principle.
Registered User Portal         The IRS external portal that allows registered individuals and
                               third-party users (collectively, “partners” – registration and
                               login authentication required) and other individual taxpayers
                               or their representatives (self-authentication with shared secrets
                               required) access for interaction with selected tax processing
                               and other sensitive systems, applications, and data.
User Networks and Services     A function within the IRS Information Technology
                               organization that supplies and maintains all desk-side
                               (including telephone) technology, provides workstation
                               software standardization and security management,
                               inventories data-processing equipment, conducts annual
                               certification of assets, provides the Information Technology
                               Service Desk as the single point of contact for reporting an
                               information technology issue, and equips the Volunteer
                               Income Tax Assistance program.
Wide Area Network              A communications network that covers a wide geographic
                               area, such as a State or country.

Appendix VII

Management’s Response to the Draft Report
"